Hello I am developing a browser extension. It does Airtable OAuth and then lets the user fetch tables and quickly add records directly from the browser.
Yesterday it all worked well for me and today the Airtable API does not send the appropriate CORS headers.
"Access to fetch at 'https://airtable.com/oauth2/v1/token' from origin 'chrome-extension://bnpbihfpfplcakeplbgbmopmppdkgcdn' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled."
It is indeed true that the preflight request does not have these Access Control headers.
I tried the same request from cURL and it passes there and I get back the tokens just fine so it's clear this is an issue with CORS.
Since CORS worked for me yesterday and does not work today I wonder if Airtable API blocked me? But it's strange as I would expect the whole app via the Client ID blocked, not the specific origin.
I could fix this by introducing a proxy server but I would like to avoid this as it actually makes the whole thing less secure. It would be better if the browser extension users would not have to rely on my web server to be a middle point - a potential point of failure and also security risk. If the CORS is pushing me in this direction it's a little bit unfortunate.
Or am I supposed to introduce a proxy server only for the initial authentication? This would make things partially more secure *for me* because the CLIENT_ID and CLIENT_SECRET would not be exposed to the browser extension. But then all the user tokens flow through my server, so from that perspective I thought it's better to OAuth to Airtable directly.
Thanks for any insights!
